
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:1333-1 advisory.

– CVE-2024-6104: cosign: hashicorp/go-retryablehttp: Fixed sensitive information disclosure to log file (bsc#1227031)
– CVE-2024-51744: cosign: github.com/golang-jwt/jwt/v4: Fixed bad documentation of error handling in ParseWithClaims leading to potentially dangerous situations (bsc#1232985)
– CVE-2025-27144: cosign: github.com/go-jose/go-jose/v4, github.com/go-jose/go-jose/v3: Fixed denial of service in Go JOSE's Parsing (bsc#1237682)
– CVE-2025-22870: cosign: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238693)
– CVE-2025-22868: cosign: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing (bsc#1239204)
– CVE-2025-22869: cosign: golang.org/x/crypto/ssh: Fixed denial of service in the Key Exchange (bsc#1239337)

Other fixes:

– Update to version 2.5.0 (jsc#SLE-23476):
  * Update sigstore-go to pick up bug fixes (#4150)
  * Update golangci-lint to v2, update golangci-lint-action (#4143)
  * Feat/non filename completions (#4115)
  * update builder to use go1.24.1 (#4116)
  * Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
  * Remove cert log line (#4113)
  * cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)
  * bump to latest scaffolding release for…
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : cosign (SUSE-SU-2025:1333-1)

